<HTML>
<BODY BGCOLOR=white>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
NAME
     util/sgeCA/sge_ca - Sun Grid Engine CSP Support control com-
     mand

SYNTAX
     sge_ca command [command options]

DESCRIPTION
     sge_ca controls a simple Sun Grid Engine Certificate Author-
     ity that is used for the special Certificate Security Proto-
     col (CSP) mode.  CSP mode improves the security behavior  of
     Sun  Grid  Engine  by enabling OpenSSL secured communication
     channels and  X509v3  certificates  for  authentication.  In
     addition  it  is  possible  to export the key material or to
     create JKS keystores for the JMX connector.   It  follows  a
     list  of  possible  commands  and command options to give an
     overview  which  functionality  is  available.  For  further
     details  about  every  command  refer to the COMMAND DETAILS
     section.

COMMAND OVERVIEW
     sge_ca [-help]
          show usage

     sge_ca -init [command options]
          create the infrastructure for a  new  Sun  Grid  Engine
          Certificate  Authority with its corresponding files and
          directories and a set of keys and certificates for  SGE
          Daemon, root and admin user.

     sge_ca -req | -verify &lt;cert&gt; | -sign | -
          copy [command options]
          manipulate individual keys and certificates

     sge_ca -print &lt;cert&gt; | -printkey &lt;key&gt; | -printcrl &lt;crl&gt;
          print out certificates, keys and certificate revocation
          lists in human readable form.

     sge_ca -showCaTop | -showCaLocalTop [command options]
          echo the $CATOP or $CALOCALTOP directory. This  command
          is  usually  run as root on the qmaster host after a CA
          infrastructure has been  created.  If  "-cadir"  or  "-
          catop"  or  "-calocaltop"  are  set  the  corresponding
          directories are printed.

<u:g:e&gt; [command options]
     sge_ca -usercert  &lt;user  file&gt;  |  -user  &lt;u:g:e&gt;  |  -
          sdm_daemon
          are used for creation of certificates and  keys  for  a
          bunch  of users contained in &lt;user file&gt;, a single user
          or SDM daemon &lt;u:g:e&gt;. (see <B><A HREF="../htmlman1/hedeby_introduction.html?pathrev=V62u5_TAG">hedeby_introduction(1)</A></B> )

options]
     sge_ca -pkcs12 &lt;user&gt; | -sdm_pkcs12 &lt;g&gt;  |  -
          sys_pkcs12  [command
          are used to export the certificate  and  key  for  user
          &lt;user&gt; or SDM daemon &lt;g&gt; in pkcs12 format and to export
          the SGE Daemon certificate and key in pkcs12 format.

     sge_ca -userks | -ks &lt;user&gt; | -sysks [command options]
          are used for creation of keystore for all users with  a
          certificate  and  key,  the  keystore for a single user
          &lt;user&gt; and the keystore containing the SGE Daemon  cer-
          tificate and key.

[command options]
     sge_ca -renew &lt;user&gt; | -renew_ca | -renew_sys  |  -
          renew_sdm  &lt;g&gt;
          are used to renew the  corresponding  certificates  for
          user &lt;user&gt;, for the CA, for the SGE Daemon certificate
          and for the SDM daemon &lt;g&gt; certificate.

     where "[command options]" is a combination of the  following
     options  depending  on the command. The COMMAND DETAILS sec-
     tion explains which options are usable for each command.

     -days &lt;days&gt;
          days of validity of the certificate

     -sha1
          use sha-1 instead of md5 as message digest

     -encryptkey
          use des to encrypt the generated  private  key  with  a
          passphrase.  The  passphrase is requested when a key is
          created or used.

     -outdir &lt;dir&gt;
          write to directory &lt;dir&gt;

     -cahost &lt;host&gt;
          define CA hostname (CA master host)

     -cadir &lt;dir&gt;
          define $CALOCALTOP and $CATOP settings

     -calocaltop &lt;dir&gt;
          define $CALOCALTOP setting

     -catop &lt;dir&gt;
          define $CATOP setting

     -kspwf &lt;file&gt;
          define  a  keystore  password  file  that  contains   a
          password  that  is used to encrypt the keystore and the
          keys contained therein

     -ksout &lt;file&gt;
          define output file to write the keystore to

     -pkcs12pwf &lt;file&gt;
          define a pkcs12 password file that contains a  password
          that  is used to encrypt the pkcs12 export file and the
          keys contained therein

     -pkcs12dir &lt;dir&gt;
          define the output directory &lt;dir&gt; to write the exported
          pkcs12  format  file  to. Otherwise the current working
          directory is used.

COMMAND DETAILS
[-adminuser &lt;admin&gt;] [-days &lt;num days&gt;]
     sge_ca -init [-cadir &lt;dir&gt;] [-catop  &lt;dir&gt;]  [-
          calocaltop  &lt;dir&gt;]
          The -init command creates a new Sun Grid Engine  certi-
          ficate  authority  and its corresponding files. Usually
          "sge_ca -init" is run by user root on the master  host.
          If  the options -adminuser, -cadir, -calocaltop, -catop
          and the Sun Grid Engine environment variables SGE_ROOT,
          SGE_CELL  and  SGE_QMASTER_PORT  are  set the CA direc-
          tories are created in the following locations:
          two letter country code, state, location, e.g  city  or
          your  buildingcode,  organization  (e.g.  your  company
          name), organizational unit, e.g. your department, email
          address of the CA administrator (you!)

          Certificates and keys are generated for the CA  itself,
          for SGE Daemon, for SGE install user (usually root) and
          finally for the SGE admin user.

          How and where the certificates and keys are created can
          be influenced additionally by:
          -days &lt;days&gt; change the time of validity of the  certi-
          ficates to number of &lt;days&gt; instead of 365 days
          -sha1 change the message digest algorithm from  md5  to
          sha-1
          -encryptkey  encrypt  the   generated   keys   with   a
          passphrase
          -adminuser &lt;user&gt; use &lt;user&gt; as admin user
          -cahost &lt;host&gt; use &lt;host&gt; as the CA master host
          [-cadir &lt;dir&gt;] [-catop &lt;dir&gt;  [-calocaltop  &lt;dir&gt;]  set
          $CATOP  and  $CALOCALTOP to &lt;dir&gt; to use something dif-
          ferent than the Sun Grid  Engine  default  directories.
          Either  -cadir  &lt;dir&gt;  has  to  be specified to replace
          $CATOP and $CALOCALTOP by the same directory or  -catop
          &lt;dir&gt; for $CATOP and -calocaltop &lt;dir&gt; for $CALOCALTOP.

<dir&gt;] [-adminuser &lt;admin&gt;] [-days &lt;days&gt;]
     sge_ca -user &lt;u:g:e&gt; [-cadir &lt;dir&gt;] [-catop  &lt;dir&gt;]  [-
          calocaltop
          generate certificate and keys for &lt;u:g:e&gt; with  u='Unix
          user   account  name',  g='common  name'  and  e='email
          address'. By default the certificate is valid  for  365
          days  or  by  &lt;days&gt; specified with -days &lt;days&gt;.  This
          command is usually run as  user  root  on  the  qmaster
          host. $CATOP and $CALOCALTOP maybe overruled by -cadir,
          -catop and -calocaltop.

     sge_ca -sdm_daemon &lt;u:g:e&gt;
          generate daemon certificate and keys for  &lt;u:g:e&gt;  with
          u='Unix   user   account  name',  g='common  name'  and
          e='email address'. By default the certificate is  valid
          for  365  days  or  by  &lt;days&gt;  specified  with  "-days
          &lt;days&gt;". This command is usually run as  user  root  on
          the qmaster host.

calocaltop   &lt;dir&gt;]   [-adminuser   &lt;admin&gt;]  [-days  &lt;days&gt;]  [-
encryptkey] [-sha1]
     sge_ca -usercert &lt;user file&gt; [-cadir  &lt;dir&gt;]  [-
          catop  &lt;dir&gt;]  [-
          Usually sge_ca -usercert &lt;user file&gt;  is  run  as  user
          root  on the master host. The argument &lt;user file&gt; con-
          tains a list of users in the following format:

              eddy:Eddy Smith:eddy@griders.org
              sarah:Sarah Miller:sarah@griders.org
              leo:Leo Lion:leo@griders.org

          where the fields separated by colon are:
              Unix user:Gecos field:email address

<dir&gt;] [-adminuser &lt;admin&gt;] [-days &lt;days&gt;]
     sge_ca -renew &lt;user&gt; [-cadir &lt;dir&gt;] [-catop  &lt;dir&gt;]  [-
          calocaltop
          Renew the certificate for &lt;user&gt;. By default the certi-
          ficate  is extended for 365 days or by &lt;days&gt; specified
          with -days &lt;days&gt;. If the value is negative the  certi-
          ficate becomes invalid.  This command is usually run as
          user root on the qmaster host. $CATOP  and  $CALOCALTOP
          maybe overruled by -cadir, -catop and -calocaltop.

<dir&gt;] [-adminuser &lt;admin&gt;] [-days &lt;days&gt;]
     sge_ca  -renew_ca  [-cadir  &lt;dir&gt;]  [-catop  &lt;dir&gt;]  [-
          calocaltop
          Renew the CA certificate. By default the certificate is
          extended for 365 days or by &lt;days&gt; specified with -days
          &lt;days&gt;.  If  the  value  is  negative  the  certificate
          becomes  invalid.   This command is usually run as user
          root on the qmaster host. $CATOP and $CALOCALTOP  maybe
          overruled by -cadir, -catop and -calocaltop.

<dir&gt;] [-adminuser &lt;admin&gt;] [-days &lt;days&gt;]
     sge_ca -renew_sys  [-cadir  &lt;dir&gt;]  [-catop  &lt;dir&gt;]  [-
          calocaltop
          Renew the SGE Daemon certificate. By default the certi-
          ficate  is extended for 365 days or by &lt;days&gt; specified
          with -days &lt;days&gt;. If the value is negative the  certi-
          ficate becomes invalid.  This command is usually run as
          user root on the qmaster host. $CATOP  and  $CALOCALTOP
          maybe overruled by -cadir, -catop and -calocaltop.

<dir&gt;] [-adminuser &lt;admin&gt;] [-days &lt;days&gt;]
     sge_ca -renew_sdm &lt;g&gt; [-cadir &lt;dir&gt;] [-catop &lt;dir&gt;]  [-
          calocaltop
          Renew the SDM daemon certificate of &lt;g&gt;, where  &lt;g&gt;  is
          the  common name of the daemon. By default the certifi-
          cate is extended for 365 days or  by  &lt;days&gt;  specified
          with  -days &lt;days&gt;. If the value is negative the certi-
          ficate becomes invalid.  This command is usually run as
          user  root  on the qmaster host. $CATOP and $CALOCALTOP
          maybe overruled by -cadir, -catop and -calocaltop.

cadir  &lt;dir&gt;]  [-catop  &lt;dir&gt;]  [-calocaltop  &lt;dir&gt;]  [-adminuser
<admin&gt;]
     sge_ca -pkcs12 &lt;user&gt; [-pkcs12pwf &lt;file&gt;] [-
          pkcs12dir  &lt;dir&gt;]  [-
          export certificate and key of  user  &lt;user&gt;  'the  Unix
          user  name'  in  pkcs12 format. This command is usually
          run as user root on the  qmaster  host.  If  -pkcs12pwf
          &lt;file&gt;  is used the file and the corresponding key will
          be encrypted with the password in &lt;file&gt;. If -pkcs12dir
          &lt;dir&gt;   is   used  the  output  file  is  written  into
          &lt;dir&gt;/&lt;user&gt;.p12 instead of ./&lt;user&gt;.p12 .  $CATOP  and
          $CALOCALTOP  maybe  overruled  by  -cadir,  -catop  and
          -calocaltop.

<dir&gt;] [-catop &lt;dir&gt;] [-calocaltop &lt;dir&gt;] [-adminuser &lt;admin&gt;]
     sge_ca -sys_pkcs12 [-pkcs12pwf &lt;file&gt;] [-
          pkcs12dir &lt;dir&gt;] [-cadir
          export certificate and key of SGE Daemon in pkcs12 for-
          mat.  This  command  is usually run as user root on the
          qmaster host. If -pkcs12pwf &lt;file&gt; is used the file and
          the  corresponding key will be encrypted with the pass-
          word in &lt;file&gt;. If -pkcs12dir &lt;dir&gt; is used the  output
          file   is  written  into  &lt;dir&gt;/&lt;user&gt;.p12  instead  of
          ./&lt;user&gt;.p12 . $CATOP and $CALOCALTOP  maybe  overruled
          by -cadir, -catop and -calocaltop.

cadir  &lt;dir&gt;]  [-catop  &lt;dir&gt;]  [-calocaltop  &lt;dir&gt;]  [-adminuser
<admin&gt;]
     sge_ca -sdm_pkcs12 &lt;g&gt; [-pkcs12pwf &lt;file&gt;] [-
          pkcs12dir &lt;dir&gt;]  [-
          export certificate and  key  of  daemon  &lt;g&gt;  g='common
          name'  in pkcs12 format. This command is usually run as
          user root on the qmaster host. If -pkcs12pwf &lt;file&gt;  is
          used  the  file  and  the  corresponding  key  will  be
          encrypted with the password in  &lt;file&gt;.  If  -pkcs12dir
          &lt;dir&gt;   is   used  the  output  file  is  written  into
          &lt;dir&gt;/&lt;g&gt;.p12 instead of ./&lt;g&gt;.p12 . $CATOP and  $CALO-
          CALTOP  maybe overruled by -cadir, -catop and -calocal-
          top.

[-catop &lt;dir&gt;] [-calocaltop &lt;dir&gt;] [-adminuser &lt;admin&gt;]
     sge_ca -ks &lt;user&gt; [-ksout &lt;file&gt;] [-kspwf &lt;file&gt;] [-
          cadir  &lt;dir&gt;]
          create a keystore containing  certificate  and  key  of
          user &lt;user&gt; in JKS format where &lt;user&gt; is the Unix user
          name. This command is usually run as user root  on  the
          qmaster host. If -kspwf &lt;file&gt; is used the keystore and
          the corresponding key will be encrypted with the  pass-
          word  in &lt;file&gt;. The -ksout &lt;file&gt; option specifies the
          keystore file that is created.  If  the  -ksout  &lt;file&gt;
          option is missing the default location for the keystore
          is $CALOCALTOP/userkeys/&lt;user&gt;/keystore.  This  command
          is usually invoked by sge_ca -userks. A prerequisite is
          a valid JAVA_HOME environment variable setting.  $CATOP
          and  $CALOCALTOP  maybe overruled by -cadir, -catop and
          -calocaltop.

calocaltop &lt;dir&gt;] [-adminuser &lt;admin&gt;]
     sge_ca -userks [-kspwf &lt;file&gt;] [-cadir &lt;dir&gt;] [-
          catop  &lt;dir&gt;]  [-
          generate a keystore in JKS format for all users  having
          a  key and certificate.  This command is usually run as
          user root on the qmaster host.   If  -kspwf  &lt;file&gt;  is
          used  the  keystore  and  the corresponding key will be
          encrypted with the password in  &lt;file&gt;.   The  keystore
          files             are             created            in
          $CALOCALTOP/userkeys/&lt;user&gt;/keystore. This  command  is
          run  after user certificates and keys have been created
          with sge_ca -usercert &lt;userfile&gt; or if any of the  cer-
          tificates  have  been  renewed.  $CATOP and $CALOCALTOP
          maybe overruled by -cadir, -catop and -calocaltop.

calocaltop &lt;dir&gt;] [-adminuser &lt;admin&gt;]
     sge_ca -sysks [-kspwf &lt;file&gt;] [-cadir &lt;dir&gt;]  [-
          catop  &lt;dir&gt;]  [-
          generate a keystore containing the SGE Daemon  certifi-
          cate  and  key  in JKS format.  This command is usually
          run as user root on the qmaster host.  If -kspwf &lt;file&gt;
          is  used the keystore and the corresponding key will be
          encrypted with the password in  &lt;file&gt;.   The  keystore
          file is created in $CALOCALTOP/private/keystore. $CATOP
          and $CALOCALTOP maybe overruled by -cadir,  -catop  and
          -calocaltop.

     sge_ca -print &lt;cert&gt;
          Print a certificate where &lt;cert&gt; is  the  corresponding
          certificate in pem format.

     sge_ca -printkey &lt;key&gt;
          Print a key where &lt;key&gt; is the corresponding key in pem
          format.

     sge_ca -printcrl &lt;crl&gt;
          Print a certificate revocation list where &lt;crl&gt; is  the
          corresponding  certificate  revocation list in pem for-
          mat.

     sge_ca -printcrl &lt;crl&gt;
          Print a certificate revocation list where &lt;crl&gt; is  the
          corresponding  certificate  revocation list in pem for-
          mat.

adminuser  &lt;admin&gt;] [-days &lt;days&gt;] [-encryptkey] [-sha1] [-outdir
<dir&gt;]
     sge_ca -req [-cadir &lt;dir&gt;] [-catop &lt;dir&gt;] [-
          calocaltop &lt;dir&gt;]  [-
          create a private key and a certificate request for  the
          calling  user.  This  are  created  as  newkey.pem  and
          newreq.pem in the current working  directory.   If  the
          option -outdir &lt;dir&gt; is specified in addition the files
          are created in &lt;dir&gt;.

[-adminuser  &lt;admin&gt;]  [-days  &lt;days&gt;]  [-encryptkey]  [-sha1] [-
outdir &lt;dir&gt;
     sge_ca -sign [-cadir &lt;dir&gt;] [-catop  &lt;dir&gt;]  [-
          calocaltop  &lt;dir&gt;]
          Sign a certificate request. The  CA  certificate  under
          $CATOP  (default: $SGE_ROOT/$SGE_CELL/common/sgeCA) and
          CA      key      from       $CALOCALTOP       (default:
          /var/sgaCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL)
          are used for the signature.  If $CATOP and  $CALOCALTOP
          are  set to a different directory the information there
          is used. The certificate is created as  newcert.pem  in
          the current working directory or in &lt;dir&gt; if the option
          -outdir &lt;dir&gt;  has  been  specified.  In  addition  the
          option  "-days  &lt;number  of  days&gt;" can be specified to
          change the default validity from 365 to number of days.

<dir&gt;] [-adminuser &lt;admin&gt;]
     sge_ca -verify &lt;cert&gt; [-cadir &lt;dir&gt;] [-catop &lt;dir&gt;]  [-
          calocaltop
          Verify a certificates  validity  where  &lt;cert&gt;  is  the
          corresponding  certificate  in  pem  format. $CATOP and
          $CALOCALTOP can be  overruled  by  -cadir,  -catop  and
          -calocaltop.

     sge_ca -copy [-cadir &lt;dir&gt;] [-catop &lt;dir&gt;] [-
          calocaltop &lt;dir&gt;]
          sge_ca -copy is run by a user to copy the users  certi-
          ficate    and    key    on    the    master   host   to
          $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem
          and     the     corresponding     private     key    in
          $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem
          which  are  used  instead  of  the  files in $CATOP and
          $CALOCALTOP. The command is only recommended for  test-
          ing  purposes or where $HOME is on a secure shared file
          system.

EXAMPLES
     # sge_ca -init -cadir /tmp -sha1 -encryptkey -days 31
          create a CA infrastructure in /tmp with  a  certificate
          validity  of 31 days using sha-1 instead of md5 as mes-
          sage digest.The keys are encrypted and a passphrase has
          to be entered during the creation of the different keys
          or during signing a certificate  with  the  created  CA
          key.

     # sge_ca -usercert /tmp/myusers.txt -cadir /tmp
          /tmp/myusers.txt contains user1:My User:user1@myorg.org
          and  user1  is  a valid Unix user account. Create a key
          and certificate for user1.

     # sge_ca -userks -cadir /tmp
          create a keystore for all users of the simple  CA.  The
          keystore is stored under /tmp/userkeys/&lt;user&gt;/keystore.

     # sge_ca -renew root -cadir /tmp -days -1
          make the root certificate temporarily invalid.

     # sge_ca -renew_ca -days 365 -cadir /tmp
          renew the CA certificate for 365 days

ENVIRONMENTAL VARIABLES
     SGE_ROOT       Specifies the location of the Sun Grid Engine
                    standard configuration files.

     SGE_CELL       If set, specifies the default Sun Grid Engine
                    cell.

RESTRICTIONS
     <I>sge</I>_<I>ca</I> The command must be  usually  called  with  Sun  Grid
     Engine  root  permissions  on  the  master  host.   For more
     details on the permission requirements consult the  detailed
     description for the different commands above.

FILES
     sge_ca creates a file tree starting in $CATOP and  $CALOCAL-
     TOP.     The     default     for     $CATOP    is    usually
     $SGE_ROOT/$SGE_CELL/common/sgeCA   and    for    $CALOCALTOP
     /var/sgeCA/{port$SGE_QMASTER_PORT|sge_qmaster}/$SGE_CELL
     where the subpaths beginning with $ expands to  the  content
     of the corresponding environment variable.

     In addition there may optionally exist the user  certificate
     in $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/certs/cert.pem
     and     the      corresponding      private      key      in
     $HOME/.sge/port$SGE_QMASTER_PORT/$SGE_CELL/private/key.pem
     which are used instead of the files in $CATOP and  $CALOCAL-
     TOP. (see sge_ca -copy above)

SEE ALSO
     <B><A HREF="../htmlman8/sge_qmaster.html?pathrev=V62u5_TAG">sge_qmaster(8)</A></B>.

COPYRIGHT
     See <B><A HREF="../htmlman1/sge_intro.html?pathrev=V62u5_TAG">sge_intro(1)</A></B> for a full statement of rights and  permis-
     sions.































</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>
